From: "Mark W. Eichin" <eichin@cygnus.com>
Date: Mon, 30 Nov 92 11:25:34 PST
To: pfarrell@cs.gmu.edu
Subject: re: Secure Key exchange
In-Reply-To: <9211301332.AA10244@cs.gmu.edu>
Message-ID: <9211301925.AA29778@tweedledumber.cygnus.com>
MIME-Version: 1.0
Content-Type: text/plain


>> I see no reason to hurry. A slowly growing web of trust that
>> is strong is far more useful than an exploding web of trash.
	precisely. I only sign keys when I've met the person
physically, and had them tell me that yes, they have a PGP key, and
yes, here are the lower bits (the keyid.) (The latter is a little
weak, I look forward to the MD5 output version...) I keep keyid's in
my "little black book" as well as my online keyring.
	Also, because keys are a reasonable "proof" that one is using
PGP, some people will only release their "public" keys to people they
will correspond with anyhow. (At least one key on the recent
cypherpunks key list was in that category.) 
	I have at this point signed keys of 6 people (the first three
over dinner at a chinese restaurant -- this didn't start a trend,
unfortunately :-) I haven't signed John Gilmore's key (even though I
work for him) since I haven't actually seen him in person, though I
may get a chance to when I'm in California next week -- this will
create a link between east-coast and west-coast signatures, though
possibly not the first.
				_Mark_ <eichin@athena.mit.edu>
				MIT Student Information Processing Board
				Cygnus Support <eichin@cygnus.com>